4 Authentication Credentials
Types of authentication credentials:
- What you have. Example: key fob to lock your car
- What you are. Example: facial characteristics recognized by a health club attendant
- What you know. Example: combination to a health club locker
Security+ Guide to Network Security Fundamentals, Fourth Edition

6 What You Know: Passwords
- User logging in to a system
  - Asked to identify himself: user enters a username
  - Asked to authenticate: user enters a password
- Passwords are the most common type of authentication today
- Passwords provide only weak protection

7 Password Weaknesses
- The weakness of passwords is linked to human memory
  - Humans can only memorize a limited number of items
- Long, complex passwords are the most effective but also the most difficult to memorize
- Users must remember passwords for many different accounts
- Security policies mandate that passwords expire, so users must repeatedly memorize new passwords

8 Password Weaknesses (cont'd.)
- Users often take shortcuts
  - Using a weak password. Examples: common words, a short password, or personal information
  - Reusing the same password for multiple accounts, which makes it easier for an attacker who compromises one account to access the others

14 Attacks on Passwords (cont'd.)
- Steps for using a rainbow table
  - Creating the table: a chain of plaintext passwords
    - Encrypt the initial password
    - Feed the result into a function that produces a different plaintext password
    - Repeat for a set number of rounds
  - Using the table to crack a password
    - Run the encrypted password through the same procedure used to create the initial table
    - This results in an initial chain password

15 Attacks on Passwords (cont'd.)
- Using the table to crack a password (cont'd.)
  - Repeat, starting with this initial password, until the original encryption is found
  - The password used at the last iteration is the cracked password
- Rainbow table advantages over other attack methods
  - Can be used repeatedly
  - Faster than dictionary attacks
  - Less machine memory needed

18 Password Defenses (cont'd.)
- General observations for creating strong passwords
  - Do not use dictionary words or phonetic words
  - Do not use birthdays, family member or pet names, addresses, or any other personal information
  - Do not repeat characters or use sequences
  - Do not use short passwords
- Managing passwords
  - One important defense: prevent an attacker from obtaining the encrypted password file
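The strong-password observations above can be enforced mechanically at password-set time. The following is an added example, not code from the textbook: a policy checker that rejects dictionary words (including common digit-for-letter substitutions), personal information, repeated characters, keyboard or alphanumeric sequences, and short passwords. The word list, personal details and 12-character minimum are constructed for the demonstration.

```python
import re

MIN_LENGTH = 12  # assumed policy minimum; the slides only say "do not use short passwords"

# Constructed stand-in for a real dictionary word list (assumption for the demo).
DICTIONARY_WORDS = ("password", "welcome", "dragon", "letmein", "monkey", "secret")

# Constructed personal details for a fictional user: first name, pet, birth year, birthday.
PERSONAL_INFO = ("alice", "rex", "1985", "0412")

# Sequences the policy forbids, scanned forwards and backwards.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Common "leet" substitutions, undone before the dictionary check so P@ssw0rd is caught.
LEET = str.maketrans("@$013457", "asolesat")


def has_sequence(low: str, n: int = 4) -> bool:
    """True if any n-character run of a known sequence (either direction) appears."""
    for base in SEQUENCES:
        for seq in (base, base[::-1]):
            for i in range(len(seq) - n + 1):
                if seq[i:i + n] in low:
                    return True
    return False


def password_problems(pw: str, personal_info=PERSONAL_INFO) -> list:
    """Return the guideline violations for pw; an empty list means it passes."""
    problems = []
    low = pw.lower()
    normalized = low.translate(LEET)
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for word in DICTIONARY_WORDS:
        if word in low or word in normalized:
            problems.append(f"contains dictionary word '{word}'")
    for item in personal_info:
        if item.lower() in low:
            problems.append(f"contains personal information '{item}'")
    if re.search(r"(.)\1\1", pw):  # same character three or more times in a row
        problems.append("repeats a character three or more times in a row")
    if has_sequence(low):
        problems.append("contains a sequence such as '1234' or 'qwer'")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "aaaa1234alice!", "Tq7!vM#k2pLw9xRz"):
        print(candidate, "->", password_problems(candidate) or "OK")
```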

19 Password Defenses (cont'd.)
- Managing passwords (cont'd.)
  - Defenses against password file theft
    - Do not leave the computer unattended
    - Screensavers should be set to resume with a password
    - Password-protect the ROM BIOS
    - Physically lock the computer case so it cannot be opened
  - Good password management practices
    - Change passwords frequently
    - Do not reuse old passwords

20 Password Defenses (cont'd.)
- Good password management practices (cont'd.)
  - Never write a password down
  - Use unique passwords for each account
  - Set up a temporary password for another user's access
  - Do not allow the computer to automatically sign in to an account
  - Do not enter passwords on public-access computers
  - Never enter a password while connected to an unencrypted wireless network

21 Password Defenses (cont'd.)
- Other guidelines
  - Use non-keyboard characters, created by holding down the ALT key while typing a number on the numeric keypad
- Password supplements
  - Problem: managing numerous strong passwords is burdensome for users
  - One solution: rely on technology to store and manage passwords

27 What You Have: Tokens and Cards (cont'd.)
- User login steps with a token
  - User enters username and the code from the token
  - Authentication server looks up the algorithm associated with that user, generates its own code, and compares it to the user's code
  - If they match, the user is authenticated
- Advantages over passwords
  - The token code changes frequently, so an attacker would have to crack the code within the time limit

29 What You Have: Tokens and Cards (cont'd.)
- Advantages over passwords (cont'd.)
  - A user may not know if a password has been stolen; if a token is stolen, it becomes obvious and steps can be taken to disable the account
- Token system variations
  - Some systems use the token code only
  - Others use the code in conjunction with a password
  - Some combine a PIN with the token code
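The server side of the token login described on slides 27 and 29 (look up the user's algorithm and secret, generate the expected code, compare, and accept only within the time window) can be written out as follows. This is an added example, not code from the textbook or from any token vendor: it assumes the time-based HMAC scheme of RFC 4226/6238 with a 30-second step, a constructed user secret, and a one-step clock-skew allowance. It also records the last counter accepted per user so that a code captured in transit cannot be replayed inside the window.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # slides: the code changes every 30 to 60 seconds (30 assumed here)
DIGITS = 6
SKEW_STEPS = 1      # accept the previous and next step to absorb clock drift

# Constructed user store: the server's copy of each user's token secret (demo value).
USER_SECRETS = {"alice": b"constructed-demo-secret-for-alice"}

# Last time-step counter accepted for each user; defends against replay of a seen code.
LAST_ACCEPTED = {}


def token_code(secret: bytes, counter: int) -> str:
    """Code for one time-step: HMAC-SHA1 over the counter, dynamically truncated (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def verify_login(username: str, submitted_code: str, now: float = None) -> bool:
    """Server-side check: regenerate the code for the current window and compare."""
    secret = USER_SECRETS.get(username)
    if secret is None:
        return False                      # unknown user: same answer as a bad code
    now = time.time() if now is None else now
    counter = int(now // STEP_SECONDS)
    for c in range(counter - SKEW_STEPS, counter + SKEW_STEPS + 1):
        if c <= LAST_ACCEPTED.get(username, -1):
            continue                      # already used this (or a later) window: replay
        expected = token_code(secret, c)
        if hmac.compare_digest(expected, submitted_code):   # constant-time compare
            LAST_ACCEPTED[username] = c
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = token_code(USER_SECRETS["alice"], int(now // STEP_SECONDS))
    print("first use:", verify_login("alice", code, now))    # True
    print("replayed: ", verify_login("alice", code, now))    # False
```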

37 What You Are: Biometrics (cont'd.)
- Voice recognition
  - Several characteristics make each person's voice unique, so a voice template can be created
  - Difficult for an attacker to authenticate using a recording of the user's voice: the phonetic cadence of putting words together is part of the real speech pattern

39 What You Are: Biometrics (cont'd.)
- Cognitive biometrics (cont'd.)
  - Easier for the user to remember because it is based on the user's life experiences
  - Difficult for an attacker to imitate
  - Example: identifying specific faces
  - Example: user selects memorable lifetime events and is asked for details about them
  - Predicted to become a key element of authentication in the future

40 Single Sign-On
- Identity management: using a single authentication credential shared across multiple networks
  - Called federated identity management (FIM) when the networks are owned by different organizations
- Single sign-on (SSO) holds the promise of reducing the burden of usernames and passwords to just one

41 Windows Live ID
- Introduced in 1999 as .NET Passport
- Name changed to Microsoft Passport Network, then Windows Live ID
- Designed as an SSO for Web commerce
- Authentication process
  - User enters username and password
  - User is given a time-limited global cookie, stored on the computer, containing an encrypted ID tag
  - The ID tag is sent to the Web site

43 OpenID
- Decentralized open-source FIM
- Does not require specific software to be installed on the desktop
- URL-based identity system: OpenID provides a means to prove that a user owns the URL
- Authentication process
  - User goes to a free site and is given an OpenID account of Me.myopenID.com

44 OpenID (cont'd.)
- Authentication process (cont'd.)
  - User visits a Web commerce or other site and signs in using his OpenID
  - The site redirects the user to MyOpenID.com, where he enters a password to authenticate
  - MyOpenID.com sends him back to the Web site, now authenticated
- Security weaknesses
  - Relies on DNS, which may have its own weaknesses
  - Not considered strong enough for most banking and e-commerce Web sites

45 Open Authorization (OAuth)
- Permits users to share resources stored on one site with a second site without forwarding authentication credentials
- Allows seamless data sharing among sites
- Relies on token credentials
  - Replaces the need to transfer the user's username and password
  - Tokens are for specific resources on a site, for a limited time period

49 Trusted Operating Systems
- Operating system basic flaws
  - Size: millions of lines of code make vulnerabilities difficult to recognize
  - One compromised application can impact the entire computer
  - Applications cannot authenticate themselves to each other
  - No trusted path between users and applications
  - Operating systems do not use the principle of least privilege

50 Trusted Operating Systems (cont'd.)
- Trusted operating system (trusted OS)
  - An OS designed to be secure from the ground up
  - Can keep attackers from accessing critical parts of the system
  - Can prevent administrators from inadvertently making harmful changes
- Vendors developing trusted OSs
  - Focusing on securing OS components and other platform elements
  - One approach: compartmentalize services within the trusted OS for individual customers

51 Summary
- Authentication credentials can be classified into three categories: what you know, what you have, and what you are
- Passwords provide a weak degree of protection because they must rely on human memory
- Most password attacks today use offline cracking: attackers steal the encrypted password file
- A token is a small device that generates a code from an algorithm once every 30 to 60 seconds

52 Summary (cont'd.)
- Biometrics bases authentication on characteristics of an individual: standard, behavioral, and cognitive biometrics
- Single sign-on allows a single username and password to gain access to all accounts
- Group Policy settings allow an administrator to set password restrictions for an entire group at once
- Trusted operating systems are designed for security from the ground up
